BritiLeaks false start

From LeakDirectory

The original BritiLeaks.org website made so many potentially critical anonymity and security mistakes that it has now, thankfully, been replaced by what should be a much better infrastructure when it officially re-launches:

General Notes

Our Mission Statement:

BritiLeaks.org strives to be the most recognised media body in the UK that deals specifically with leaked information that alleges corruption, wrong-doing, lies, deceit etc.

Our number one aim is to get sensitive information to the public whilst respecting and maintaining the privacy of our source. We do this by purposely not knowing the source of our disclosure from the very beginning and taking measures to make sure the traceability of our source is almost impossible.

We believe that the British public, and humanity at large, deserve nothing more than the truth itself. We will stop at nothing to accomplish this.

Qualys SSL Labs SSL Server Test rating:

PGP Public Encryption Key

The display of this PGP Key block is mangled by the weebly.com content management system.

They should have used the <PRE> and </PRE> HTML tags to display the block correctly and, ideally, should also have published it as a link to a simple .txt or .asc text file on their own website / webspace.

This problem also affected, say, the Filtradas whistleblower website, but they have now fixed this.

As a backup to provide resilience against denial of service attacks or legal or illegal censorship of the main website, it is a good idea to publish the public PGP Key to a PGP Key Server e.g. like this

N.B. Anybody can publish a PGP Key to any public PGP Keyserver, so they are useful as backups, but they cannot be the only method of establishing trust in the validity of a particular PGP key.

This is the same PGP public Key block which BritiLeaks.org have published on their website and it mentions the britileaks@riseup.com etc. details, but this is not their PGP key at all !

BritiLeaks.org do not have access to the corresponding Private Key, so anybody who does succeed in unpicking the misplaced Carriage Returns / Linefeeds etc. from their web page will not be able to send them anything that they can decrypt.

Whistleblower websites should publish the PGP ID and / or PGP Fingerprints and the Expiry Date details on the website itself, in addition to publishing it to PGP Keyservers and elsewhere.
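A publisher can check whether the armored key block that a content management system actually serves is still intact, which is the failure described above. The following is an added example, not code from LeakDirectory or BritiLeaks.org; it assumes the block carries the optional CRC-24 checksum line that GnuPG has traditionally emitted, and the sample block and the helper names `armor` and `check_armor` are constructed for illustration.

```python
import base64
import binascii
import textwrap

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Hypothetical helper, used only to build the constructed sample block."""
    body = "\n".join(textwrap.wrap(base64.b64encode(data).decode(), 64))
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n{body}\n={check}\n{END}\n"

def check_armor(text: str) -> str:
    """Return "ok" or the reason the published block is unusable."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        return "bad framing"          # BEGIN/END not on lines of their own
    inner = lines[1:-1]
    if "" not in inner:
        return "no blank line before data"
    data_lines = inner[inner.index("") + 1:]
    if not data_lines or not data_lines[-1].startswith("="):
        return "missing checksum line"
    try:
        data = base64.b64decode("".join(data_lines[:-1]), validate=True)
        want = base64.b64decode(data_lines[-1][1:], validate=True)
    except binascii.Error:
        return "invalid base64"
    return "ok" if crc24(data).to_bytes(3, "big") == want else "crc mismatch"

# Constructed sample: 200 arbitrary bytes, not a real OpenPGP key.
GOOD = armor(bytes(range(200)))
COLLAPSED = " ".join(GOOD.split())         # CMS folded every line break
ALTERED = GOOD.replace("AAEC", "BAEC", 1)  # one data character changed

if __name__ == "__main__":
    for name, block in [("good", GOOD), ("collapsed", COLLAPSED), ("altered", ALTERED)]:
        print(name, "->", check_armor(block))
```

A block that passes this check is only well-formed; it says nothing about who holds the private key, which is why the PGP ID and Fingerprint still need to be published on the website itself.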

TOR Hidden Service

No

I2P eepsite

No

PrivacyBox.de

No

Hushmail Secure Form

No

Leak Submission Anonymity

TOR users blocked from access

No

3rd Party or persistent tracking cookies or graphics

Yes !

Quantserve JavaScript and "web bug" graphics betray most visitors' web browser and IP address details to this commercial web tracking company in the USA.